directory-dev mailing list archives

From "Stefan Seelmann (JIRA)" <>
Subject [jira] Updated: (DIRSTUDIO-263) Add certificate validation for ldaps and StartTLS
Date Mon, 18 May 2009 19:43:45 GMT


Stefan Seelmann updated DIRSTUDIO-263:

    Fix Version/s: 1.5.0

Basic certificate validation is implemented: First the default JVM validation is called (which
uses the <JAVA_HOME>/lib/security/cacerts keystore by default). If the verification
fails the user is asked if s/he wants to trust the certificate. It works with Sun 5 and 6,
JRockit 6 and IBM 5. There are problems with Harmony and IBM 6 (which is based on Harmony);
it seems like Harmony hasn't implemented StartTLS yet. I have to investigate.

The next steps are:

* Show the certificate details to the user. I'd suggest creating a certificate dialog that
shows the certificate and the chain, like in Firefox. We could reuse such a dialog for a certificate
and certificate list value editor. Such a dialog already exists in Eclipse; it pops up if
you install a new plugin and the plugin isn't signed by a known CA. Unfortunately this dialog
is only internal and not accessible from outside.

* Allow permanent trust of a certificate. Therefore we need to create a custom keystore and
put permanently trusted certificate chains into it. A preference page to manage these certificates
would also be helpful, e.g. if the user accidentally added a certificate and wants to remove

* Enable hostname verification. This is quite tricky, see Marius' comment.
  - For ldaps:// JNDI doesn't verify hostnames at all. The solution shown by Marius (see the
link above) seems to work, however the class "HostnameChecker" is a Sun JDK specific class
in package "".
  - For StartTLS JNDI verifies hostnames by default. However if the verification fails, the
connection is closed. But we should ask the user if s/he wants to trust the certificate anyway.
  - Looks like we need a custom hostname checker. But that is quite complex because we have
to deal with IPv4 and IPv6 addresses, hostnames, wildcards; the hostname could be the cn or
one of the subject alternative names, etc.

* An additional step would be to implement SASL EXTERNAL authentication using a client certificate.

> Add certificate validation for ldaps and StartTLS
> -------------------------------------------------
>                 Key: DIRSTUDIO-263
>                 URL:
>             Project: Directory Studio
>          Issue Type: Improvement
>          Components: studio-connection
>            Reporter: Stefan Seelmann
>            Assignee: Stefan Seelmann
>            Priority: Minor
>             Fix For: 1.5.0
> We have encrypted connections using ldaps:// or the StartTLS extended operation, but
> the certificate isn't validated as we always use a DummySSLSocketFactory.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
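The validation order described in the comment (default JVM validation backed by cacerts, then a custom keystore of permanently trusted certificates, then asking the user) can be expressed as one X509TrustManager. The following is an added example written for this page, not Directory Studio's own code: the class and interface names, the Decision enum, the permanent keystore path and the TrustPrompt UI hook are assumptions, and it uses Java 7 or later syntax.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Example trust manager (not Directory Studio code). Order of checks:
 * (1) the JVM's default trust manager, i.e. <JAVA_HOME>/lib/security/cacerts,
 * (2) a custom keystore holding certificates the user trusted permanently,
 * (3) a prompt so the user can trust the chain for this session or permanently.
 */
public class StudioTrustManager implements X509TrustManager {

    public enum Decision { REJECT, TRUST_SESSION, TRUST_PERMANENTLY }

    /** Hypothetical UI hook; a real implementation would open the certificate dialog. */
    public interface TrustPrompt {
        Decision ask(X509Certificate[] chain, String failureReason);
    }

    private final X509TrustManager jvmDefault;
    private final KeyStore permanentStore;
    private final File permanentFile;      // assumed location, e.g. ~/.studio/permanent-trust.jks
    private final char[] storePassword;
    private final TrustPrompt prompt;

    public StudioTrustManager(File permanentFile, char[] storePassword, TrustPrompt prompt)
            throws GeneralSecurityException, IOException {
        this.permanentFile = permanentFile;
        this.storePassword = storePassword;
        this.prompt = prompt;
        // (1) A null KeyStore makes the factory fall back to the JVM default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        this.jvmDefault = found;
        // (2) Load the permanent-trust keystore, or start with an empty one on first use.
        this.permanentStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (permanentFile.isFile()) {
            try (FileInputStream in = new FileInputStream(permanentFile)) { permanentStore.load(in, storePassword); }
        } else {
            permanentStore.load(null, storePassword);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        String reason;
        try {
            jvmDefault.checkServerTrusted(chain, authType);   // (1) cacerts says it is fine: done
            return;
        } catch (CertificateException e) {
            reason = e.getMessage();
        }
        if (isPermanentlyTrusted(chain[0])) return;            // (2) user trusted exactly this leaf before
        switch (prompt.ask(chain, reason)) {                   // (3) ask the user
            case TRUST_SESSION: return;
            case TRUST_PERMANENTLY: storePermanently(chain); return;
            default: throw new CertificateException("certificate rejected by user: " + reason);
        }
    }

    /** Compares the leaf only, so a new certificate from the same issuer is not trusted silently. */
    private boolean isPermanentlyTrusted(X509Certificate leaf) throws CertificateException {
        try {
            for (Enumeration<String> e = permanentStore.aliases(); e.hasMoreElements();) {
                if (leaf.equals(permanentStore.getCertificate(e.nextElement()))) return true;
            }
            return false;
        } catch (KeyStoreException e) {
            throw new CertificateException("permanent trust store unavailable", e);
        }
    }

    /** Adds the whole chain as trusted-certificate entries and writes the keystore back to disk. */
    private void storePermanently(X509Certificate[] chain) throws CertificateException {
        try {
            for (X509Certificate c : chain) {
                String alias = c.getSubjectX500Principal().getName() + "#" + c.getSerialNumber().toString(16);
                permanentStore.setCertificateEntry(alias, c);
            }
            File dir = permanentFile.getAbsoluteFile().getParentFile();
            if (dir != null) dir.mkdirs();
            try (FileOutputStream out = new FileOutputStream(permanentFile)) { permanentStore.store(out, storePassword); }
        } catch (GeneralSecurityException | IOException e) {
            throw new CertificateException("could not persist trusted certificate", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        jvmDefault.checkClientTrusted(chain, authType);        // no user prompt on the client side
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
}
```

The trust manager replaces the DummySSLSocketFactory's accept-everything behaviour: it is installed through SSLContext.init(null, new TrustManager[]{ tm }, null) and the resulting socket factory is handed to JNDI. Note that it only answers "is this chain issued by someone I trust"; whether the certificate belongs to the host the user typed is a separate hostname check, which JNDI does not perform for ldaps://. The permanent store records the exact leaf certificate, so a replaced certificate on the same server triggers the prompt again, and the preference page mentioned above would simply list and delete the keystore's aliases.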
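For the hostname verification step, here is an added example of the custom checker the comment says is needed, handling IPv4 and IPv6 literals, wildcards, and the choice between the subject alternative names and the CN. It is written for this page, is not Directory Studio code and is not the Sun-internal HostnameChecker; the class and method names are assumptions, and it follows the RFC 6125 rule that the CN is only consulted when the certificate carries no dNSName entries.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Example hostname checker (not Directory Studio code, not the Sun-internal HostnameChecker). */
public final class HostnameMatcher {
    // GeneralName type tags as documented for X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;

    private HostnameMatcher() {}

    /** True if the certificate was issued for the host the user connected to. */
    public static boolean matches(String host, X509Certificate cert) throws CertificateParsingException {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1);   // tolerate absolute FQDN form
        List<String> dnsNames = new ArrayList<>();
        List<String> ipNames = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();  // null if no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == SAN_DNS_NAME) dnsNames.add((String) san.get(1));
                else if (type == SAN_IP_ADDRESS) ipNames.add((String) san.get(1));
            }
        }
        if (isIpLiteral(h)) {
            // IP addresses must appear as iPAddress SAN entries. Comparing parsed addresses makes
            // "::1" and "0:0:0:0:0:0:0:1" equal; no DNS lookup happens for literals.
            for (String ip : ipNames) if (sameAddress(h, ip)) return true;
            return false;
        }
        if (!dnsNames.isEmpty()) {
            // dNSName entries present: the CN is ignored entirely.
            for (String pattern : dnsNames) if (matchesDnsPattern(pattern, h)) return true;
            return false;
        }
        String cn = commonName(cert);
        return cn != null && matchesDnsPattern(cn, h);
    }

    static boolean isIpLiteral(String h) {
        return h.indexOf(':') >= 0 || h.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    private static boolean sameAddress(String a, String b) {
        try {
            return InetAddress.getByName(a).equals(InetAddress.getByName(b));
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /** A wildcard is accepted only as the whole leftmost label and matches exactly one label. */
    static boolean matchesDnsPattern(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(host);
        String suffix = p.substring(1);                        // "*.example.com" -> ".example.com"
        if (suffix.indexOf('*') >= 0) return false;            // no second wildcard
        if (suffix.split("\\.", -1).length < 3) return false;  // refuse "*.com"-style patterns
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.endsWith(suffix) && firstDot == host.length() - suffix.length();
    }

    /** Extracts the CN from the subject DN with the JNDI LdapName parser. */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // unparsable DN: treat as having no CN
        }
        return null;
    }
}
```

After the handshake the leaf is available as SSLSession.getPeerCertificates()[0], and HostnameMatcher.matches(host, leaf) is called before the connection is used. For ldaps:// this adds the check JNDI skips; for StartTLS, where JNDI's own verification closes the connection on mismatch, doing the check in the client allows a mismatch to be reported to the user and, if they choose to trust the certificate anyway, the decision to be recorded alongside the chain rather than failing silently. With "foo.example.com" the pattern "*.example.com" matches, while "example.com", "a.b.example.com" and "*.com" are rejected by matchesDnsPattern, which is the usual source of wildcard bugs.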
